{% extends "xss/base.html" %}

{# subtopic_name should match string in nav.html #}
{% set subtopic_name = 'Django Autoescaping' %}

{% block content %}

<p>All of the data on this page is passed through Django's automatic escaping routine, which escapes the 5 key XML characters. You can find the escaping routine for Django 1.2.1 <a href="http://code.djangoproject.com/browser/django/tags/releases/1.2.1/django/utils/html.py#L30">here</a>.</p>

<p>This 5-character escaping is very common in templating engines, but it doesn't provide full protection on its own: it only neutralises input inside HTML text and quoted attribute values. Take a look at the CSS examples and the examples without quotes.</p>
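<p>As an added illustration of that point (example code written for this page, not Django's own code nor part of this application), the following Python mirrors the five replacements Django's <code>escape()</code> performs and then renders the same escaped value into a quoted attribute, an unquoted attribute and a CSS <code>color</code> slot. The small attribute tokenizer, the <code>div</code>/<code>title</code> fragments and the <code>safe_css_color</code> allowlist are constructed for the example; the sample inputs are constructed too.</p>

```python
"""Added example: why five-character HTML escaping is context dependent.

The escape routine below reproduces the five replacements made by
django.utils.html.escape; everything else is constructed for this page.
"""
import re


def django_style_escape(value: str) -> str:
    """Replicate Django's escape(): '&' is replaced first so that the
    entities produced by the later replacements are not re-escaped."""
    return (value.replace('&', '&amp;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;')
                 .replace('"', '&quot;')
                 .replace("'", '&#39;'))


def render_quoted_attr(value: str) -> str:
    """Template fragment <div title="{{ value }}">: the quotes bound the value,
    and any quote character in the value has been turned into &quot;."""
    return '<div title="%s">' % django_style_escape(value)


def render_unquoted_attr(value: str) -> str:
    """Template fragment <div title={{ value }}>: nothing bounds the value,
    so whitespace in it ends the attribute even though it was escaped."""
    return '<div title=%s>' % django_style_escape(value)


def render_style_attr(value: str) -> str:
    """Template fragment <div style="color: {{ value }}">: a CSS slot. None
    of the five escaped characters are needed to write further CSS."""
    return '<div style="color: %s">' % django_style_escape(value)


# Constructed allowlist for one CSS context: a hex colour or a bare keyword.
_CSS_COLOR = re.compile(r'#[0-9A-Fa-f]{3,6}|[A-Za-z]+')


def safe_css_color(value: str) -> str:
    """Context-specific validation: anything outside the allowlist is
    replaced by a harmless default instead of being escaped."""
    return value if _CSS_COLOR.fullmatch(value) else 'inherit'


def render_style_attr_safe(value: str) -> str:
    """The hardened form: validate for the CSS context, then HTML-escape."""
    return '<div style="color: %s">' % django_style_escape(safe_css_color(value))


def attribute_names(tag: str) -> list:
    """Attribute names a browser would see in a single start tag, following
    the HTML tokenizer's rule that a quoted value runs to the closing quote
    while an unquoted value runs to the next whitespace or '>'."""
    assert tag.startswith('<') and tag.endswith('>')
    body = tag[1:-1]
    i = 0
    while i < len(body) and not body[i].isspace():   # skip the tag name
        i += 1
    names = []
    while i < len(body):
        while i < len(body) and body[i].isspace():
            i += 1
        if i >= len(body):
            break
        start = i
        while i < len(body) and body[i] != '=' and not body[i].isspace():
            i += 1
        names.append(body[start:i])
        if i < len(body) and body[i] == '=':
            i += 1
            if i < len(body) and body[i] in '"\'':
                quote = body[i]
                i += 1
                while i < len(body) and body[i] != quote:
                    i += 1
                i += 1                                   # step past the closing quote
            else:
                while i < len(body) and not body[i].isspace():
                    i += 1
    return names


if __name__ == '__main__':
    sample = 'x extra=y'                                 # constructed input
    print(attribute_names(render_quoted_attr(sample)))   # ['title']
    print(attribute_names(render_unquoted_attr(sample))) # ['title', 'extra']
    print(render_style_attr('red; background: blue'))    # escaping changes nothing
    print(render_style_attr_safe('red; background: blue'))
```

<p>The quoted and unquoted fragments receive exactly the same escaped string; only the quoting decides whether the browser sees one attribute or two. The CSS fragment shows the other gap: the five replacements never fire, so the fix is a context-specific allowlist applied before escaping, not more escaping.</p>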

<form name="form" method="POST">

{{ render_form(xss_rules) }}

</form>

{% endblock content %}
